Google Redirects to ad4.doubleclicker.net cleanup


This topic is locked. 11 replies to this topic.

#1 stealthspark (Members, 10 posts)

Posted 07 February 2009 - 08:04 PM

For additional information on what has been done and on what the problems are, in chronological order, please see:

http://forum.kaspersky.com/index.php?showtopic=103014

http://www.bleepingcomputer.com/forums/t/200995/combofix-wont-restart-computer/

http://www.bleepingcomputer.com/forums/t/201071/google-redirecting-to-ad4doubleclickernet-cleanup/ ~ OB


Hello, I removed a malicious driver C:\WINDOWS\System32\Drivers\a3eqvdx0.SYS that redirected my Google results to ad4.doubleclicker.net. While the problem seemed to stop, I'm worried I have not removed all the malicious files.

DDS (Ver_09-02-01.01) - NTFSx86
Run by (Julian) at 19:57:13.70 on 2009-02-07
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2512 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\program files\steam\steam.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\(Julian)\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: {1E6615CE-B908-408D-AA6F-A974E981CC87} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [UberIcon] "c:\program files\ubericon\UberIcon Manager.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Lycosa] "c:\program files\razer\lycosa\razerhid.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202180480421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {BD5F5800-20DE-4098-A25E-DCFE731EDEBB} = 68.87.74.162,68.87.68.162
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\(julian)\applic~1\mozilla\firefox\profiles\jili0d2s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\documents and settings\(julian)\application data\mozilla\firefox\profiles\jili0d2s.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: XUL Cache: {0DE5ECF7-EBBD-4011-9E4D-3A766447D85E} - c:\documents and settings\(julian)\local settings\application data\{0DE5ECF7-EBBD-4011-9E4D-3A766447D85E}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-25 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-8-3 21888]
S1 fdcc;fdcc; [x]
S2 Ca533av;DC-T23, WDM Video Capture; [x]
S2 EFAW;EFAW;c:\windows\system32\drivers\efasw.sys [2007-11-9 16680]
S2 EZWRIT3;EZWRIT3;c:\windows\system32\drivers\ezwrit3.sys [2007-11-5 12672]
S2 INIT4;INIT4;c:\windows\system32\drivers\efasinit.sys [2007-11-9 11815]
S3 adxapie;adxapie; [x]
S3 APLOADER;APLOADER;c:\windows\system32\drivers\ApLoader.SYS [2007-11-7 21376]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-5-10 16512]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-1-3 13225]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver; [x]
S3 USBCamera;DSC Still Image Capture (CA100); [x]

=============== Created Last 30 ================

2009-02-07 02:11 --d-hr-- c:\documents and settings\(julian)\Recent
2009-02-05 23:59 197 a------- C:\Delme.bat
2009-02-05 00:48 389,120 a------- c:\windows\system32\CF26079.exe
2009-02-05 00:48 389,120 a------- c:\windows\system32\CF25994.exe
2009-02-03 21:04 a-dshr-- C:\cmdcons
2009-02-03 21:03 98,816 a------- c:\windows\sed.exe
2009-02-03 21:03 389,120 a------- c:\windows\system32\CF27492.exe
2009-02-02 16:54 --d----- c:\program files\Spybot - Search & Destroy
2009-02-02 01:23 --d----- c:\docume~1\(julian)\applic~1\SoundSpectrum
2009-02-02 01:23 --d----- c:\program files\SoundSpectrum
2009-02-02 01:21 --d----- c:\windows\system32\XPSViewer
2009-02-02 01:21 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-02 01:21 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-02 01:21 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-02 01:21 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-02 01:21 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-02 01:21 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-02 01:21 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-02 01:21 --d----- c:\windows\SxsCaPendDel
2009-02-02 00:50 --d----- c:\docume~1\(julian)\applic~1\Malwarebytes
2009-02-02 00:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-02 00:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 00:50 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 00:50 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-02 00:19 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-02-01 14:05 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-29 19:21 --d----- c:\docume~1\(julian)\applic~1\Windows Search
2009-01-25 23:58 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-25 22:30 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-25 22:29 -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 22:29 --d----- c:\program files\Lavasoft
2009-01-15 00:31 --d----- c:\windows\Freecorder Toolbar
2009-01-15 00:31 --d----- c:\program files\Freecorder Toolbar
2009-01-12 19:32 --d----- c:\program files\Alcohol Soft
2009-01-12 17:25 89,264 a------- c:\windows\system32\drivers\DRVMCDB.SYS
2009-01-12 17:25 40,544 a------- c:\windows\system32\drivers\DRVNDDM.SYS
2009-01-12 17:25 94,263 a------- c:\windows\DLA.EXE
2009-01-12 17:25 61,500 a------- c:\windows\system32\DLAAPI_W.DLL
2009-01-12 17:25 22,684 a------- c:\windows\system32\drivers\DLARTL_N.SYS
2009-01-12 17:25 5,660 a------- c:\windows\system32\drivers\DLACDBHM.SYS
2009-01-12 17:25 --d----- c:\windows\system32\DLA

==================== Find3M ====================

2009-01-27 18:24 34 a------- c:\documents and settings\(julian)\jagex_runescape_preferences.dat
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-05 19:07 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-01 17:23 4,212 a---h--- c:\windows\system32\zllictbl.dat
2007-01-28 23:14 56 a--shr-- c:\windows\system32\306C1FB3F3.sys
2008-01-31 16:42 56 a--shr-- c:\windows\system32\328C12221E.sys
2008-01-31 16:46 6,424 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:57:55.54 ===============

Edited by Orange Blossom, 08 February 2009 - 07:00 PM.
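The "SERVICES / DRIVERS" block of the DDS log above is the part a helper reads first, because a driver like the a3eqvdx0.SYS the poster removed would have shown up there as a kernel-mode service. The script below is an added example, not part of this thread and not part of the DDS tool: it parses lines in that format, separates entries whose backing file DDS could not find (printed as "[x]") from entries that carry a path, date and size, and flags service names that look machine-generated. The "random name" test is a heuristic of this example, not a DDS rule, and the sample log is constructed: it copies a few lines from the log above and adds one hypothetical line for a3eqvdx0 with a made-up date and size.

```python
"""Triage helper for DDS-style "SERVICES / DRIVERS" log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DriverEntry:
    state: str             # 'R' = running, 'S' = stopped, as DDS prints it
    start: int             # Windows service Start value: 0 boot, 1 system,
                           # 2 auto, 3 demand, 4 disabled
    name: str              # service (registry key) name
    display: str           # display name
    path: Optional[str]    # None when DDS printed "[x]": file not found on disk
    date: Optional[str]
    size: Optional[int]


# Tail of a normal line: "<path> [<date> <size>]"
TAIL_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$")


def parse_line(line: str) -> Optional[DriverEntry]:
    """Parse one DDS service/driver line; return None for any other line."""
    head, sep, rest = line.strip().partition(" ")
    if not sep or len(head) != 2 or head[0] not in "RS" or not head[1].isdigit():
        return None
    parts = rest.split(";", 2)
    if len(parts) != 3:
        return None
    name, display, tail = (p.strip() for p in parts)
    if tail == "[x]":
        return DriverEntry(head[0], int(head[1]), name, display, None, None, None)
    m = TAIL_RE.match(tail)
    if not m:
        return None
    return DriverEntry(head[0], int(head[1]), name, display,
                       m["path"], m["date"], int(m["size"]))


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example, not a DDS rule): exactly eight
    alphanumerics mixing letters and digits, e.g. 'a3eqvdx0'. Readable names
    such as 'Lbd', 'SASDIFSV' or 'Ca533av' are not flagged."""
    if not re.fullmatch(r"[A-Za-z0-9]{8}", name):
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def triage(lines: List[str]) -> dict:
    """Return the parsed-line count plus the two review lists a helper wants."""
    findings = {"parsed": 0, "missing_file": [], "random_name": []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings["parsed"] += 1
        if entry.path is None:
            findings["missing_file"].append(entry.name)
        if looks_random(entry.name):
            findings["random_name"].append(entry.name)
    return findings


# Constructed sample: real lines copied from the DDS log in this thread plus one
# hypothetical a3eqvdx0 line whose date and size are made up for the example.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-25 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 a3eqvdx0;a3eqvdx0;c:\windows\system32\drivers\a3eqvdx0.SYS [2009-2-1 12345]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S1 fdcc;fdcc; [x]
S2 Ca533av;DC-T23, WDM Video Capture; [x]
S3 MEMSWEEP2;MEMSWEEP2; [x]
""".strip().splitlines()


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"parsed {result['parsed']} service/driver lines")
    print("backing file missing ([x]):", ", ".join(result["missing_file"]))
    print("machine-looking names, review by hand:", ", ".join(result["random_name"]))
```

A "[x]" entry is an orphaned service registration, not proof of infection: in the log above most of them belong to uninstalled hardware (a camera, a wireless adapter), which is why a helper reads the display name and the path before deciding anything. The random-name list is likewise a prompt for manual review, since a driver whose name tells you nothing is exactly what the poster's redirect came from.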


#2 Thunder (Members, 3,294 posts, Gender: Male, Location: Belgium)

Posted 15 February 2009 - 07:24 AM

Hello Stealthspark and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted - And make a difference

#3 stealthspark (Topic Starter, Members, 10 posts)

Posted 04 March 2009 - 01:59 PM

Included in this post is the GooredFix Log.

I did not run Combofix because it previously did not automatically restart my computer (even after hours), resulting in a manual restart, no log, and messed up time/date settings. Further details regarding the Combofix problem (the solution was to solve the original problem without Combofix) are located in the 3 links at the beginning of my first post.

Thank you.


GooredFix v1.91 by jpshortstuff
Log created at 13:54 on 04/03/2009 running Option #2 ((Julian))
Firefox version 3.0.6 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#4 Thunder (Members, 3,294 posts, Gender: Male, Location: Belgium)

Posted 04 March 2009 - 05:34 PM

Hello Stealthspark,

In that case:

Delete your current copy of ComboFix,
then download ComboFix again to your desktop. You must, however, rename it before saving it.

Now reboot your system and start in safe mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode with Networking.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode with Networking option and press Enter.

Now run the renamed ComboFix.
ComboFix should run as expected now.

Greetings,
Thunder

#5 stealthspark (Topic Starter, Members, 10 posts)

Posted 07 March 2009 - 06:10 PM

It works! Thank you so much!! Included in this post is the Combofix log.


ComboFix 09-03-06.02 - (Julian) 2009-03-07 17:49:29.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2752 [GMT -5:00]
Running from: c:\documents and settings\(Julian)\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-07 01:43 . 2009-03-07 01:43 <DIR> d-------- c:\windows\system32\AGEIA
2009-03-07 01:43 . 2009-03-07 01:43 <DIR> d-------- c:\program files\AGEIA Technologies
2009-03-02 23:07 . 2009-03-07 02:03 <DIR> dr-h----- c:\documents and settings\(Julian)\Recent
2009-03-01 17:25 . 2009-03-01 17:25 <DIR> d-------- c:\program files\LG Electronics
2009-03-01 17:25 . 2007-04-09 09:55 22,912 --a------ c:\windows\system32\drivers\lgusbmodem.sys
2009-03-01 17:25 . 2007-04-09 09:56 21,248 --a------ c:\windows\system32\drivers\lgusbdiag.sys
2009-03-01 17:25 . 2007-04-09 09:53 12,672 --a------ c:\windows\system32\drivers\lgusbbus.sys
2009-02-28 23:00 . 2009-02-28 23:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\ElectricSheep
2009-02-28 16:07 . 2006-06-20 03:56 225,280 --a------ c:\windows\system32\rewire.dll
2009-02-28 16:04 . 2009-02-28 16:23 <DIR> d-------- c:\program files\Image-Line
2009-02-28 15:51 . 2009-02-28 15:51 <DIR> d-------- c:\program files\Enterbrain
2009-02-28 15:50 . 2009-02-28 15:50 <DIR> d-------- c:\program files\Common Files\Enterbrain
2009-02-26 18:01 . 2009-02-26 23:31 <DIR> d-------- c:\program files\MP3Gain
2009-02-25 22:43 . 2009-02-25 22:43 <DIR> d-------- c:\documents and settings\(Julian)\Application Data\Music Recognition
2009-02-24 19:36 . 2009-01-09 14:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-02-18 06:59 . 2009-02-18 07:02 <DIR> d-------- c:\windows\system32\DLA
2009-02-18 06:59 . 2005-11-07 05:20 94,263 --a------ c:\windows\DLA.EXE
2009-02-18 06:59 . 2005-09-12 03:30 89,264 --a------ c:\windows\system32\drivers\DRVMCDB.SYS
2009-02-18 06:59 . 2005-11-07 05:20 61,500 --a------ c:\windows\system32\DLAAPI_W.DLL
2009-02-18 06:59 . 2005-08-12 05:20 40,544 --a------ c:\windows\system32\drivers\DRVNDDM.SYS
2009-02-18 06:59 . 2005-11-18 12:02 22,684 --a------ c:\windows\system32\drivers\DLARTL_N.SYS
2009-02-18 06:59 . 2005-11-18 12:02 5,660 --a------ c:\windows\system32\drivers\DLACDBHM.SYS
2009-02-09 17:30 . 2009-02-09 17:30 <DIR> d-------- c:\program files\Citrix
2009-02-09 17:30 . 2009-02-09 17:30 60,744 --a------ c:\documents and settings\(Julian)\g2mdlhlpx.exe
2009-02-07 22:35 . 2009-02-07 22:35 <DIR> d-------- c:\program files\Norton Ghost
2009-02-07 22:19 . 2009-02-07 22:19 <DIR> d-------- c:\program files\Symantec
2009-02-07 22:17 . 2007-12-20 17:13 136,416 --a------ c:\windows\system32\drivers\symsnap.sys
2009-02-07 22:17 . 2008-01-19 20:12 128,104 --a------ c:\windows\system32\drivers\WimFltr.sys
2009-02-07 22:17 . 2008-01-19 19:45 38,112 --a------ c:\windows\system32\drivers\v2imount.sys
2009-02-07 22:17 . 2008-01-19 19:40 15,088 --a------ c:\windows\system32\drivers\vproeventmonitor.sys
2009-02-07 22:16 . 2009-02-07 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 20:46 --------- d-----w c:\program files\Steam
2009-03-07 06:42 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-03 06:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 06:13 --------- d-----w c:\program files\Trojan Remover
2009-03-03 05:41 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-01 22:28 --------- d-----w c:\program files\Common Files\Real
2009-03-01 22:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-28 20:47 --------- d-----w c:\documents and settings\(Julian)\Application Data\uTorrent
2009-02-26 23:01 --------- d-----w c:\program files\Dell
2009-02-19 22:37 --------- d-----w c:\program files\Chips Challenge
2009-02-19 01:17 --------- d-----w c:\program files\Guild Wars
2009-02-18 23:27 --------- d-----w c:\documents and settings\(Julian)\Application Data\SoundSpectrum
2009-02-18 23:19 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-02-18 11:59 --------- d-----w c:\program files\Roxio
2009-02-15 05:13 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-15 01:10 --------- d-----w c:\program files\Freecorder Toolbar
2009-02-10 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-08 04:24 --------- d-----w c:\program files\UberIcon
2009-02-08 03:57 --------- d-----w c:\documents and settings\(Julian)\Application Data\Symantec
2009-02-08 03:37 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-08 00:39 --------- d-----w c:\program files\DVD Decrypter
2009-02-06 05:00 197 ----a-w C:\Delme.bat
2009-02-02 22:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-02 21:54 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-02 06:22 --------- d-----w c:\program files\iTunes
2009-02-02 06:21 --------- d-----w c:\program files\Reference Assemblies
2009-02-02 06:21 --------- d-----w c:\program files\MSBuild
2009-02-02 05:50 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-02 05:50 --------- d-----w c:\documents and settings\(Julian)\Application Data\Malwarebytes
2009-02-02 05:19 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-01 03:03 --------- d-----w c:\program files\Warcraft III
2009-01-31 06:14 15,688 ----a-w c:\windows\system32\lsdelete.exe
2009-01-30 20:30 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania
2009-01-30 00:21 --------- d-----w c:\documents and settings\(Julian)\Application Data\Windows Search
2009-01-27 23:24 34 ----a-w c:\documents and settings\(Julian)\jagex_runescape_preferences.dat
2009-01-26 04:10 --------- d-----w c:\program files\Hydrogen
2009-01-26 03:30 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-01-26 03:29 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-26 03:29 --------- d-----w c:\program files\Lavasoft
2009-01-20 02:02 --------- d-----w c:\program files\CCleaner
2009-01-17 02:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 04:21 --------- d-----w c:\documents and settings\(Julian)\Application Data\U3
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 00:32 --------- d-----w c:\program files\Alcohol Soft
2009-01-12 02:28 --------- d-----w c:\program files\DVDVideoSoft
2009-01-07 16:28 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 14:45 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2007-01-29 04:14 56 --sha-r c:\windows\system32\306C1FB3F3.sys
2008-01-31 21:42 56 --sha-r c:\windows\system32\328C12221E.sys
2008-01-31 21:46 6,424 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Steam"="c:\program files\steam\steam.exe" [2008-10-08 1410296]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2007-08-17 159744]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-31 509784]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 2245984]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-03 02:26 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\zathic\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\zathic\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\zathic\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\zathic\\garrysmod\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\trackmania united\\TmForever.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\trackmania united\\TmForeverLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6115:TCP"= 6115:TCP:Warcraft III
"3724:TCP"= 3724:TCP:WoW1
"3724:UDP"= 3724:UDP:WoW2
"6112:TCP"= 6112:TCP:WoW3
"6115:UDP"= 6115:UDP:Warcraft III
"2350:TCP"= 2350:TCP:Trackmania
"3450:TCP"= 3450:TCP:Trackmania
"2350:UDP"= 2350:UDP:Trackmania
"3450:UDP"= 3450:UDP:Trackmania
"1200:UDP"= 1200:UDP:Source
"27015:TCP"= 27015:TCP:Counter Strike
"27015:UDP"= 27015:UDP:Counter Strike

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-25 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-08-03 21888]
S1 fdcc;fdcc; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]
S2 Ca533av;DC-T23, WDM Video Capture; [x]
S2 EFAW;EFAW;c:\windows\system32\drivers\efasw.sys [2007-11-09 16680]
S2 EZWRIT3;EZWRIT3;c:\windows\system32\drivers\ezwrit3.sys [2007-11-05 12672]
S2 INIT4;INIT4;c:\windows\system32\drivers\efasinit.sys [2007-11-09 11815]
S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2005-08-16 5120]
S3 adxapie;adxapie; [x]
S3 APLOADER;APLOADER;c:\windows\system32\drivers\ApLoader.SYS [2007-11-07 21376]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-05-10 16512]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-01-03 13225]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver; [x]
S3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
S3 USBCamera;DSC Still Image Capture (CA100); [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MCSTRM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c02cf8-e10c-11dd-bdee-001372eb1325}]
\Shell\AutoRun\command - X:\autorun.exe
\Shell\directx\command - DirectX9\dxsetup.exe
\Shell\setup\command - X:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf114f97-a2cc-11dd-bd65-001372eb1325}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-31 01:14]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1E6615CE-B908-408D-AA6F-A974E981CC87} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TCP: {BD5F5800-20DE-4098-A25E-DCFE731EDEBB} = 68.87.74.162,68.87.68.162
FF - ProfilePath - c:\documents and settings\(Julian)\Application Data\Mozilla\Firefox\Profiles\jili0d2s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\documents and settings\(Julian)\Application Data\Mozilla\Firefox\Profiles\jili0d2s.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 17:53:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3346521694-2704296557-2109715616-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3346521694-2704296557-2109715616-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1118F314-62C0-81B7-5F41-BA22CC3D3019}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oahdbpencjiobhefhdaoefokmkeccl"=hex:64,61,69,6e,6e,64,69,6f,00,70
"oadfbopefcondgnpjccofioabialjk"=hex:6a,61,68,6e,61,64,69,6b,65,6e,66,6c,62,6b,
6a,70,69,6e,66,6c,00,17
"najehmhgionfngpbaibadnminpac"=hex:6a,61,68,6e,61,64,69,6b,65,6e,66,6c,62,6b,
6a,70,69,6e,66,6c,00,17

[HKEY_USERS\S-1-5-21-3346521694-2704296557-2109715616-1005\Software\SecuROM\License information*]
"datasecu"=hex:96,c5,a6,b6,19,90,77,e5,02,34,0e,54,0f,38,4e,b1,59,ec,74,02,5b,
fd,28,97,b0,65,a4,09,8a,7e,f2,3f,f6,e0,f8,5b,5a,cb,3d,66,48,14,53,71,e9,e3,\
"rkeysecu"=hex:df,8b,e2,3d,be,75,ce,b4,df,b9,4a,a8,11,3d,b5,c5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-03-07 17:55:16
ComboFix-quarantined-files.txt 2009-03-07 22:55:14

Pre-Run: 15,687,557,120 bytes free
Post-Run: 15,674,097,664 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
288 --- E O F --- 2009-02-25 08:01:11

#6 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 07 March 2009 - 06:34 PM

Hello Stealthspark,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

Driver::
fdcc
adxapie

Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: dragging CFScript onto ComboFix.exe)

This will start ComboFix again.

Upon reboot, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
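The Driver:: script above removes two service entries (fdcc and adxapie) that the ComboFix log lists as "[x]", meaning the registry still registers a driver whose file no longer exists on disk. Picking those out of a long SERVICES / DRIVERS section by eye is error-prone, so here is a small parser, written for this page as an added example (it is not part of the thread and not a ComboFix or BleepingComputer tool), that reads the ComboFix/DDS service line format, lists the orphaned entries, orders them for review and renders the Driver:: block. The sample log is a copy of the service lines from the ComboFix log above; the review ordering (system-start first, then entries whose display name is just the service name repeated) is this example's own heuristic, not a rule from the thread, and every hit still needs a human decision, since legitimate hardware drivers with a missing file (a webcam, a wireless adapter) show up the same way.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ComboFix / DDS "SERVICES / DRIVERS" line format, as seen in the log above:
#   <State><Start> <Name>;<DisplayName>;<ImagePath> [<date> <size>]
#   <State><Start> <Name>;<DisplayName>; [x]          <- registered, but file missing
# State: R = running, S = stopped.  Start is the Windows start type:
#   0 boot, 1 system (kernel drivers loaded before most defences), 2 auto, 3 manual, 4 disabled.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)

# Constructed sample: service lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-25 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-08-03 21888]
S1 fdcc;fdcc; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]
S2 Ca533av;DC-T23, WDM Video Capture; [x]
S2 EFAW;EFAW;c:\windows\system32\drivers\efasw.sys [2007-11-09 16680]
S2 EZWRIT3;EZWRIT3;c:\windows\system32\drivers\ezwrit3.sys [2007-11-05 12672]
S2 INIT4;INIT4;c:\windows\system32\drivers\efasinit.sys [2007-11-09 11815]
S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2005-08-16 5120]
S3 adxapie;adxapie; [x]
S3 APLOADER;APLOADER;c:\windows\system32\drivers\ApLoader.SYS [2007-11-07 21376]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-05-10 16512]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-01-03 13225]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver; [x]
S3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
S3 USBCamera;DSC Still Image Capture (CA100); [x]
"""


@dataclass
class ServiceEntry:
    state: str
    start: int
    name: str
    display: str
    image: Optional[str]  # None when ComboFix printed "[x]" (file missing)


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Parse every service/driver line; lines in other formats are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        # "[x]" means no file behind the registration; otherwise strip the " [date size]" suffix.
        image = None if rest == "[x]" else rest.split(" [")[0]
        entries.append(ServiceEntry(m.group("state"), int(m.group("start")),
                                    m.group("name").strip(), m.group("display").strip(), image))
    return entries


def orphaned(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registrations whose driver/service file is missing on disk."""
    return [e for e in entries if e.image is None]


def review_priority(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Orphans ordered for manual review (this example's heuristic, not a rule from the thread):
    entries whose display name merely repeats the service name (no vendor hint) come first,
    then lower start type (boot/system start kernel drivers) before manual-start ones."""
    def key(e: ServiceEntry):
        nameless = e.display.lower() == e.name.lower()
        return (not nameless, e.start, e.name.lower())
    return sorted(orphaned(entries), key=key)


def cfscript_driver_block(names: List[str]) -> str:
    """Render the Driver:: section of a ComboFix CFScript for the chosen service names."""
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    found = parse_services(SAMPLE_LOG)
    for e in review_priority(found):
        print(f"S{e.start} {e.name:30s} display={e.display!r}")
    print(cfscript_driver_block(["fdcc", "adxapie"]))
```

Run against the sample, the two entries at the top of the review list are fdcc and adxapie, the same two Thunder put in the script; the remaining "[x]" hits (a webcam, a wireless adapter, a Firebird instance, MEMSWEEP2) are left for the analyst to judge rather than removed automatically.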

#7 stealthspark
  • Topic Starter
  • Members
  • 10 posts

Posted 07 March 2009 - 08:39 PM

Ran the script as directed.

Thank you so much for your help. I'm positive my system is entirely clean.

Although there was one problem left. I noticed Google still sometimes redirected me to third-party advertisement sites. The location of my Google result links was unnaturally long; this problem only happens when I use Firefox.

(screenshot: the lengthened Google result link)

Using Internet Explorer, or Firefox on another computer, that link would simply go to http://www.google.com/

However, when I clear my cookies, I don't get the irregular link the first time I search. I set Firefox to deny all cookies from Google, and I never get the irregular links now.

Maybe this isn't the right place to ask, and you've been a gigantic help, but I'm just rather curious about this problem.

Thanks again.

#8 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 08 March 2009 - 08:20 AM

Hello Stealthspark,

Just to make sure :
can you run DDS once more and post the log in your next reply please ?

Greetings,
Thunder

#9 stealthspark
  • Topic Starter
  • Members
  • 10 posts

Posted 08 March 2009 - 06:28 PM

As requested! DDS report included.



DDS (Ver_09-02-01.01) - NTFSx86
Run by (Julian) at 19:20:41.67 on Sun 03/08/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2560 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\program files\steam\steam.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\(Julian)\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [UberIcon] "c:\program files\ubericon\UberIcon Manager.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Lycosa] "c:\program files\razer\lycosa\razerhid.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Diamondback] c:\program files\razer\diamondback 3g\razerhid.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202180480421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {BD5F5800-20DE-4098-A25E-DCFE731EDEBB} = 68.87.74.162,68.87.68.162
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\(julian)\applic~1\mozilla\firefox\profiles\jili0d2s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - component: c:\documents and settings\(julian)\application data\mozilla\firefox\profiles\jili0d2s.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-25 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2005-8-16 5120]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-8-3 21888]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-1-3 13225]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
S2 Ca533av;DC-T23, WDM Video Capture; [x]
S2 EFAW;EFAW;c:\windows\system32\drivers\efasw.sys [2007-11-9 16680]
S2 EZWRIT3;EZWRIT3;c:\windows\system32\drivers\ezwrit3.sys [2007-11-5 12672]
S2 INIT4;INIT4;c:\windows\system32\drivers\efasinit.sys [2007-11-9 11815]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S3 APLOADER;APLOADER;c:\windows\system32\drivers\ApLoader.SYS [2007-11-7 21376]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-5-11 16512]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; [x]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver; [x]
S3 USBCamera;DSC Still Image Capture (CA100); [x]

=============== Created Last 30 ================

2009-03-07 22:19 73,728 a------- c:\windows\system32\diamondback.cpl
2009-03-07 20:32 389,120 a------- c:\windows\system32\CF27106.exe
2009-03-07 02:43 <DIR> --d----- c:\windows\system32\AGEIA
2009-03-03 00:07 <DIR> --d-hr-- c:\documents and settings\(julian)\Recent
2009-03-01 18:25 22,912 a------- c:\windows\system32\drivers\lgusbmodem.sys
2009-03-01 18:25 21,248 a------- c:\windows\system32\drivers\lgusbdiag.sys
2009-03-01 18:25 12,672 a------- c:\windows\system32\drivers\lgusbbus.sys
2009-03-01 18:25 <DIR> --d----- c:\program files\LG Electronics
2009-03-01 00:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ElectricSheep
2009-02-28 17:07 225,280 a------- c:\windows\system32\rewire.dll
2009-02-28 17:04 <DIR> --d----- c:\program files\Image-Line
2009-02-28 16:51 <DIR> --d----- c:\program files\Enterbrain
2009-02-28 16:50 <DIR> --d----- c:\program files\common files\Enterbrain
2009-02-26 19:01 <DIR> --d----- c:\program files\MP3Gain
2009-02-25 23:43 <DIR> --d----- c:\docume~1\(julian)\applic~1\Music Recognition
2009-02-24 20:36 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-02-18 07:59 94,263 a------- c:\windows\DLA.EXE
2009-02-18 07:59 89,264 a------- c:\windows\system32\drivers\DRVMCDB.SYS
2009-02-18 07:59 61,500 a------- c:\windows\system32\DLAAPI_W.DLL
2009-02-18 07:59 40,544 a------- c:\windows\system32\drivers\DRVNDDM.SYS
2009-02-18 07:59 22,684 a------- c:\windows\system32\drivers\DLARTL_N.SYS
2009-02-18 07:59 5,660 a------- c:\windows\system32\drivers\DLACDBHM.SYS
2009-02-18 07:59 <DIR> --d----- c:\windows\system32\DLA
2009-02-09 18:30 <DIR> --d----- c:\program files\Citrix
2009-02-09 18:30 60,744 a------- c:\documents and settings\(julian)\g2mdlhlpx.exe
2009-02-07 23:35 <DIR> --d----- c:\program files\Norton Ghost
2009-02-07 23:19 <DIR> --d----- c:\program files\Symantec
2009-02-07 23:17 128,104 a------- c:\windows\system32\drivers\WimFltr.sys
2009-02-07 23:17 15,088 a------- c:\windows\system32\drivers\vproeventmonitor.sys
2009-02-07 23:17 38,112 a------- c:\windows\system32\drivers\v2imount.sys
2009-02-07 23:17 136,416 a------- c:\windows\system32\drivers\symsnap.sys
2009-02-07 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec

==================== Find3M ====================

2009-02-06 01:00 197 a------- C:\Delme.bat
2009-01-31 02:14 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-27 19:24 34 a------- c:\documents and settings\(julian)\jagex_runescape_preferences.dat
2009-01-25 23:30 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-14 17:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 17:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 12:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-19 05:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 01:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 01:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 06:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-10 10:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2007-01-29 00:14 56 a--shr-- c:\windows\system32\306C1FB3F3.sys
2008-01-31 17:42 56 a--shr-- c:\windows\system32\328C12221E.sys
2008-01-31 17:46 6,424 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:21:19.89 ===============


#10 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 12 March 2009 - 05:05 PM

Hello Stealthspark,

That log doesn't show any problems anymore either.

The things you experienced may have been due to some remains in the FF cache.
Clearing those out from time to time is always a good thing to do, and it helps keep loading times down.

ATF-Cleaner (by Atribune) is a good thing to have as well,
just click "select all" and let it clean up all left behind junk.

Greetings,
Thunder

#11 stealthspark
  • Topic Starter
  • Members
  • 10 posts

Posted 27 March 2009 - 03:26 PM

THANK YOU SO MUCH.

The ATF Cleaner did the trick. I've been redirect-free ever since I used it! I really appreciate your assistance, and I donated $10 for your trouble.

This is a great thing you do, keep at it.

Thanks again.

#12 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 27 March 2009 - 06:12 PM

Glad we could help, Stealthspark.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
